I have seen people using UUID for authentication token generation. However, in RFC 4122 it is stated that

Do not assume that UUIDs are hard to guess; they should not be used
as security capabilities (identifiers whose mere possession grants
access), for example.

I was wondering, what algorithms are used for example in Java and .NET for SessionId/AuthenticationToken generation. Is UUID indeed unsuitable for these purposes in an application that has more than average security needs?

1 Answer
1

UUID generation is random, but random with bad entropy means that you will end up with easy to guess UUIDs. If you use a good random number generator, you can generate UUIDs that can be used for sessions. The catch to this, however, is that UUIDs don't have built-in re-play prevention, tampering, fixation, etc., you have to handle that on your own (read: a UUID by itself shouldn't be considered a valid session ID by itself). That said, here's a good snippet for how you would generate a secure UUID using python: